2025-01-31 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/03 Report--
HTTPS function

1 SSL configuration parameters

The HTTPS function of nginx is based on the module ngx_http_ssl_module. If you compile and install nginx yourself, you need to pass the configure parameter --with-http_ssl_module to enable the SSL function; nginx installed with yum has it enabled by default, since it is part of the core configuration. Official documentation: https://nginx.org/en/docs/http/ngx_http_ssl_module.html

The configuration parameters are as follows:

    ssl on | off;                        # whether to enable SSL for the specified virtual host. Deprecated in 1.15.0 and replaced by the "ssl" parameter of the "listen" directive
    ssl_certificate /path/to/file;       # the public-key certificate of the current virtual host
    ssl_certificate_key /path/to/file;   # the private key of the current virtual host
    ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];   # supported protocol versions (the protocol was formerly called SSL and is now TLS); the default is the last three
    ssl_session_cache off | none | [builtin[:size]] [shared:name:size];   # configure the SSL session cache
        # off: disable the cache
        # none: tell the client that sessions may be reused, but do not actually store them
        # builtin[:size]: use the OpenSSL built-in cache, private to each worker process
        # shared:name:size: a cache shared between all worker processes; a cache name and size must be given, and a 1m cache holds about 4000 sessions. Several virtual hosts may use the same cache name
    ssl_session_timeout time;            # how long a client may reuse a session stored in the session cache; default 5m

2 Self-signed certificate

Self-signed CA certificate:

    [root@CentOS7-01 ~]# cd /apps/nginx/
    [root@CentOS7-01 nginx]# mkdir certs
    [root@CentOS7-01 nginx]# cd certs
    [root@CentOS7-01 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
    Generating a 4096 bit RSA private key
    .....................++
    ......++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                                  # country code, see https://country-code.cl
    State or Province Name (full name) []:BeiJing                         # province
    Locality Name (eg, city) [Default City]:BeiJing                       # city
    Organization Name (eg, company) [Default Company Ltd]:abc             # company name
    Organizational Unit Name (eg, section) []:IT                          # department name
    Common Name (eg, your name or your server's hostname) []:hechunping   # common name
    Email Address []:742384103@qq.com                                     # mailbox
    [root@CentOS7-01 certs]# ls
    ca.crt  ca.key

Generate the server key and CSR:

    [root@CentOS7-01 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.hechunping.tech.key -out www.hechunping.tech.csr
    Generating a 4096 bit RSA private key
    ..++
    ......++
    writing new private key to 'www.hechunping.tech.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BeiJing
    Organization Name (eg, company) [Default Company Ltd]:abc
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:hechunping
    Email Address []:742384103@qq.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:               # left empty here
    An optional company name []:           # likewise left empty
    [root@CentOS7-01 certs]# ll
    total 16
    -rw-r--r-- 1 root root 2090 Jan  5 21:05 ca.crt
    -rw-r--r-- 1 root root 3272 Jan  5 21:05 ca.key
    -rw-r--r-- 1 root root 1736 Jan  5 21:11 www.hechunping.tech.csr
    -rw-r--r-- 1 root root 3272 Jan  5 21:11 www.hechunping.tech.key

Sign the certificate with the CA:

    [root@CentOS7-01 certs]# openssl x509 -req -days 3650 -in www.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.hechunping.tech.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=abc/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
    Getting CA Private Key

Verify the certificate content:

    [root@CentOS7-01 certs]# openssl x509 -in www.hechunping.tech.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c6:bd:85:07:5d:3c:bc:54
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Validity
                Not Before: Jan  5 13:13:08 2020 GMT
                Not After : Jan  2 13:13:08 2030 GMT
            Subject: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
    ...

3 nginx certificate configuration

    [root@CentOS7-01 certs]# cat /apps/nginx/conf/vhosts/pc.conf
    server {
        listen 80;
        listen 443 ssl;
        ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
        ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        server_name www.hechunping.tech;
        location /pc {
            root html;
        }
    }
    [root@CentOS7-01 certs]# systemctl reload nginx

Access test
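As an added example (not code from the article), here is a small checker for the ngx_http_ssl_module directives explained in section 1, run over an embedded copy of the pc.conf server block with the deprecated `ssl on` and a legacy protocol list deliberately added. The directive names are the real nginx ones; the parser and the finding texts are our own, and `server_tokens` is checked because it controls the version string that the later "hide the nginx version number" section rewrites in the source.

```python
import re

# Constructed sample modelled on the article's pc.conf, with 'ssl on' and a
# legacy protocol list added so that the checker has something to report.
SAMPLE_CONF = """
server {
    listen 80;
    listen 443 ssl;
    ssl on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /apps/nginx/certs/www.hechunping.tech.crt;
    ssl_certificate_key /apps/nginx/certs/www.hechunping.tech.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name www.hechunping.tech;
    location /pc { root html; }
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Map each simple directive name to a list of its argument lists.
    Comments are stripped; block nesting is ignored, which is enough here."""
    directives = {}
    for stmt in re.findall(r"([^{};]+);", re.sub(r"#.*", "", conf)):
        parts = stmt.split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_ssl_config(conf):
    """Return a list of findings for the ngx_http_ssl_module settings in conf."""
    d = parse_directives(conf)
    findings = []
    if "ssl" in d:
        findings.append("'ssl on' is deprecated since 1.15.0; use 'listen 443 ssl'")
    for args in d.get("ssl_protocols", []):
        legacy = sorted(LEGACY_PROTOCOLS & set(args))
        if legacy:
            findings.append("legacy protocols enabled: " + " ".join(legacy))
    if "ssl_certificate" in d and "ssl_certificate_key" not in d:
        findings.append("ssl_certificate given without ssl_certificate_key")
    if "ssl_session_cache" not in d:
        findings.append("no ssl_session_cache: every connection repeats the full handshake")
    if ["off"] not in d.get("server_tokens", []):
        findings.append("server_tokens is not off: the nginx version is sent in the Server header")
    return findings
```

With `server_tokens off;` nginx sends the short `Server: nginx` string, which is the string the sed command in the version-hiding section rewrites; with the default `server_tokens on` the full `Server: nginx/1.16.1` string is used instead.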
4 HTTPS for multiple domain names on a single IP

Serving multiple domain names on a single IP, and HTTPS for those domain names, is based on the SNI (Server Name Indication) feature of Nginx. SNI solves the problem of binding multiple domain names and certificates within one Nginx server: the client sends the hostname it wants to visit at the start of the handshake, before the SSL connection is established, so the server can return the appropriate certificate for that hostname.

Generate the key and CSR:

    [root@CentOS7-01 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout news.hechunping.tech.key -out news.hechunping.tech.csr
    Generating a 4096 bit RSA private key
    ....+
    ......++
    writing new private key to 'news.hechunping.tech.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BeiJing
    Locality Name (eg, city) [Default City]:BeiJing
    Organization Name (eg, company) [Default Company Ltd]:xyz
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:hechunping
    Email Address []:742384103@qq.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Sign the certificate with the CA:

    [root@CentOS7-01 certs]# openssl x509 -req -days 3650 -in news.hechunping.tech.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out news.hechunping.tech.crt
    Signature ok
    subject=/C=CN/ST=BeiJing/L=BeiJing/O=xyz/OU=IT/CN=hechunping/emailAddress=742384103@qq.com
    Getting CA Private Key

Verify the certificate content:

    [root@CentOS7-01 certs]# openssl x509 -in news.hechunping.tech.crt -noout -text
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
                c6:bd:85:07:5d:3c:bc:55
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=CN, ST=BeiJing, L=BeiJing, O=abc, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Validity
                Not Before: Jan  5 13:52:00 2020 GMT
                Not After : Jan  2 13:52:00 2030 GMT
            Subject: C=CN, ST=BeiJing, L=BeiJing, O=xyz, OU=IT, CN=hechunping/emailAddress=742384103@qq.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
    ...

Configure the certificate in nginx:

    [root@CentOS7-01 certs]# cat /apps/nginx/conf/vhosts/news.conf
    server {
        listen 80;
        listen 443 ssl;
        ssl_certificate /apps/nginx/certs/news.hechunping.tech.crt;
        ssl_certificate_key /apps/nginx/certs/news.hechunping.tech.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        server_name news.hechunping.tech;
        location /pc {
            root html;
        }
    }
    [root@CentOS7-01 certs]# systemctl reload nginx

Access test
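The SNI mechanism described above, as an added example that is not part of the article: the client places the hostname in the ClientHello (TLS extension type 0) before any certificate is sent, and the server reads it and picks the certificate for the matching server_name. `build_client_hello` is our own minimal constructor of a ClientHello record, `extract_sni` the parser, and the vhost table uses the certificate paths from the article's two server blocks.

```python
import struct

# vhost table taken from the article's pc.conf and news.conf
CERT_BY_SERVER_NAME = {
    "www.hechunping.tech": "/apps/nginx/certs/www.hechunping.tech.crt",
    "news.hechunping.tech": "/apps/nginx/certs/news.hechunping.tech.crt",
}


def build_client_hello(hostname):
    """Constructed TLS 1.2 ClientHello record: one cipher suite plus an SNI extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                                   # version, random (constructed)
            + b"\x00"                                                    # empty session id
            + b"\x00\x02\xc0\x2f"                                        # one cipher suite
            + b"\x01\x00"                                                # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)                 # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Walk the ClientHello and return the host_name from the server_name extension."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None                                       # not a handshake record / not a ClientHello
    p = 9 + 2 + 32                                        # record header, handshake header, version, random
    p += 1 + record[p]                                    # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher suites
    p += 1 + record[p]                                    # compression methods
    if p + 2 > len(record):
        return None                                       # ClientHello without extensions
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        if ext_type == 0:                                 # server_name: list length, name type, name length, name
            name_len = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + name_len].decode()
        p += 4 + ext_len
    return None


def select_certificate(record):
    """What nginx does with server_name: pick the vhost certificate named by the SNI."""
    return CERT_BY_SERVER_NAME.get(extract_sni(record))
```

SNI only selects which certificate is sent; the browser then checks that the certificate's subjectAltName (or CN) matches the requested hostname, and the article's certificates carry CN=hechunping rather than the site names, so a browser will still warn about them.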
favicon.ico

favicon.ico is the icon shown when a browser bookmarks a site. When a client visits the site, the browser also sends a request for favicon.ico; if that file does not exist, the server records a 404 in its log and the browser shows a 404 error. The solution is to save the icon in the specified directory and point a location at it:

    [root@CentOS7-01 ~]# cat /apps/nginx/conf/vhosts/pc.conf
    server {
        listen 80;
        server_name www.hechunping.tech;
        location = /favicon.ico {
            root html/image;
        }
        location /pc {
            root html;
        }
    }
    [root@CentOS7-01 ~]# systemctl reload nginx
Security options

1 Hide the nginx version number

Change the server name in the nginx source code from nginx to HCPWS/1.1 and recompile nginx:

    [root@CentOS7-01 nginx-1.16.1]# sed -i 's#Server: nginx#Server: HCPWS/1.1#' /root/nginx-1.16.1/src/http/ngx_http_header_filter_module.c
    [root@CentOS7-01 nginx-1.16.1]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]# ./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]# make -j $(lscpu | awk 'NR==4 {print $2}') && make install
    [root@CentOS7-01 nginx-1.16.1]# systemctl restart nginx

Access test
2 Upgrade the OpenSSL version

Heartbleed is a security vulnerability in the cryptographic library OpenSSL, which is widely used to implement the Transport Layer Security (TLS) protocol on the Internet. It was introduced into the software in 2012 and disclosed to the public in April 2014. Any defective OpenSSL instance, whether server or client, may be affected. The cause is that input is not properly validated (there is no bounds check) in the implementation of the TLS heartbeat extension, which is where the name comes from. The bug is a buffer over-read: more data can be read than should be allowed.

Upgrade steps

1) View the current OpenSSL version

2) Download the OpenSSL source package and extract it:

    [root@CentOS7-01 nginx-1.16.1]# wget -P /usr/local/src/ https://www.openssl.org/source/openssl-1.1.1d.tar.gz
    [root@CentOS7-01 nginx-1.16.1]# tar xf /usr/local/src/openssl-1.1.1d.tar.gz

3) Compile and install nginx, specifying the path of the new OpenSSL version:

    [root@CentOS7-01 nginx-1.16.1]# nginx -V
    nginx version: nginx/1.16.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module
    [root@CentOS7-01 nginx-1.16.1]# ./configure --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_image_filter_module --with-http_geoip_module --with-http_gunzip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module --with-openssl=./openssl-1.1.1d
    [root@CentOS7-01 nginx-1.16.1]# make -j $(lscpu | awk 'NR==4 {print $2}') && make install
    [root@CentOS7-01 nginx-1.16.1]# systemctl restart nginx

Verification
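The verification step above is not shown on the page; as an added example (our own code, not the article's), this reads the "built with OpenSSL" line of `nginx -V` output, reports whether the library is in the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed), and confirms that the rebuild actually linked the expected 1.1.1d. The two sample outputs are constructed copies of the article's before/after `nginx -V` lines with the build dates left out.

```python
import re

# Constructed copies of the article's 'nginx -V' output before and after the rebuild.
NGINX_V_BEFORE = "nginx version: nginx/1.16.1\nbuilt with OpenSSL 1.0.2k-fips\nTLS SNI support enabled\n"
NGINX_V_AFTER = "nginx version: nginx/1.16.1\nbuilt with OpenSSL 1.1.1d\nTLS SNI support enabled\n"


def parse_openssl_version(nginx_v_output):
    """Return (major, minor, fix, letter) from the 'built with OpenSSL' line, or None.
    The '-fips' suffix and the build date after the version are ignored."""
    m = re.search(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)", nginx_v_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_heartbleed_affected(version):
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed.
    Letter releases sort alphabetically, so an empty letter (plain 1.0.1) is the oldest."""
    major, minor, fix, letter = version
    return (major, minor, fix) == (1, 0, 1) and letter < "g"


def check_build(nginx_v_output, expected=(1, 1, 1, "d")):
    """Report the OpenSSL nginx was built against and whether it reached the expected version."""
    version = parse_openssl_version(nginx_v_output)
    if version is None:
        return {"version": None, "heartbleed": None, "upgraded": False}
    return {
        "version": "%d.%d.%d%s" % version,
        "heartbleed": is_heartbleed_affected(version),
        "upgraded": version >= expected,       # tuple comparison handles the letter suffix
    }
```

If the running binary is linked against a different OpenSSL than it was built with, `nginx -V` also prints a "running with OpenSSL" line; only the "built with" line is parsed here.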